Introduction

Risk Management must be an integral component of today’s business organizations. Organizations that do not have a formal risk management program is like trying to drive a car without a steering wheel. Recently, yet another financial scandal for a well-known American financial institution was publicly disclosed in the news media. According to the reports, this represents the third such high-profile scandal for this particular bank within the past 5 years. Overall, the series of financial scandals at this financial institution will go down in history as the most expensive financial scandal in U.S. banking history. Further research of the bank poses the question “Where was the enterprise risk management (ERM) function of the bank?” And what was the internal audit function doing during this timeframe? After all, the internal audit function represents the “last line of defense”. Finally, where were the divisional and group risk oversight functions? These functions are considered the second line of defense that would be responsible for managing the risks of the bank. Traditionally, banks are subjected to a high volume of regulatory oversight requirements, which usually requires robust governance, risk and compliance functions.

Risk Management must be an integral component of today’s business organizations. Organizations that do not have a formal risk management program is like trying to drive a car without a steering wheel. Recently, yet another financial scandal for a well-known American financial institution was publicly disclosed in the news media. According to the reports, this represents the third such high-profile scandal for this particular bank within the past 5 years. Overall, the series of financial scandals at this financial institution will go down in history as the most expensive financial scandal in U.S. banking history. Further research of the bank poses the question “Where was the enterprise risk management (ERM) function of the bank?” And what was the internal audit function doing during this timeframe? After all, the internal audit function represents the “last line of defense”. Finally, where were the divisional and group risk oversight functions? These functions are considered the second line of defense that would be responsible for managing the risks of the bank. Traditionally, banks are subjected to a high volume of regulatory oversight requirements, which usually requires robust governance, risk and compliance functions.

Our research further revealed that the bank had been assessed and paid out billions USD in fines and penalties during the period encompassing 2008 -2018. The bank has amassed a staggering $12.2 Billion USD in fines, penalties, sanctions and legal settlements for illegal and /or unethical business practices. Yes! You read the number correctly! Over $12 Billon USD, with an emphasis on the “B” for Billions $USD. This amount does not include amounts yet to be paid due to contingent liabilities resulting from pending lawsuits and other regulatory actions. Future liabilities are expected to be realized for additional regulatory penalties, punitive damages, class action lawsuits, and criminal charges and individual liability. The illegal and/or unethical business practices range from mortgage loan abuses for both commercial and government mortgages, illegal sales practices for every other product imaginable within the bank’s loan portfolio, including student loans, auto loans, and other loan products. Also, fines and penalties were realized for unethical and illegal business practices related to sales of mortgage-backed securities, mutual funds and other investment products.

Who Is the Culprit?

Background
The name of the bank is Wells Fargo & Company, Inc. (hereinafter “Wells Fargo”). Wells Fargo is the largest bank in the U.S., according to several key metrics used in the financial services industry—loan portfolio value and market capitalization. Wells Fargo’s loan portfolio size is approximately $904 Million USD; and total assets of $1.75 Billion USD; and a loan ratio of 51% (loans as a percent of total assets). Their estimated market capitalization is $262 Billion USD (2018).

Genesis of Governance, Risk & Compliance Issues
The genesis of Wells Fargo’s governance, risk and compliance issues dates back to 2008, when the company acquired Wachovia in a very shrewd tactic. Wachovia was originally scheduled to be acquired by Citibank as part of a negotiated agreement between the Department of Treasury and the largest U.S. banks in an effort to stabilize the financial industry in the immediate aftermath of the financial crisis in September 2008. Wells Fargo made a better offer to Wachovia (that did not require government intervention) and thus, acquired in a merger in an all stock deal valued at approximately $15.1 Billion to create the largest retail banking distribution system in the U.S. at the time. The downside of the transaction was that Wells Fargo also inherited some of the riskiest mortgage loan portfolios.

In fact, Wells Fargo inherited approximately $2.5 Billion USD in fines, penalties, sanctions and legal settlements resulting from legacy Wachovia’s business practices. Among the fines and penalties paid were: (1) $1.2 Billion USD to the State of California for mortgage-loan related abuses (2008); (2) $160 Million USD to settle charges for failure to adequately detect and monitor money laundering activities by their customers (2010) and; (3) $144 Million USD to settle charges that it failed to supervise telemarketers who used information to steal millions from Wells Fargo’s customer funds.

A Symptom of Organizational Culture
In addition to fines and penalties from legacy Wachovia, Wells Fargo had their own share of corporate misdeeds that resulted in additional liabilities totaling $9.6 Billion USD between 2008 and 2018. The largest fines and penalties from these scandals included: (1) $1 Billion USD fine levied by the Consumer Financial Protection Board for sales practice abuses for unnecessary products and services (2018); (2) $1.2 Billion USD by the Department of Treasury (USDOJ) for HUD loan servicing practices (2016); (3) USDOJ levied fines of $25 Billion and $8.5 Billion USD in 2012 and 2013, respectively to the five largest mortgage loan servicers for various mortgage loan abuses; and (4) $1.4 Billion buyback of auction-rate securities that were fraudulently sold to investors (2009).
As if the illegal and unethical sales and loan servicing practices were not enough, existing corporate governance systems (e.g. corporate whistleblower hotline) were ineffective, and other corporate governance oversight functions and management were negligent in adhering to their fiduciary responsibilities to the corporation and its shareholders. As a result, the root cause of these scandals may be traced to the breakdown of Wells Fargo’s corporate governance system. That being said, Wells Fargo is now in a position to implement structural changes in their corporate governance structure and to change their organizational culture. In fact, many organizations who have been in similar situations in the past, have used these opportunities to implement world class reforms. Therefore, Wells Fargo can begin the process of realizing sustainable reform, beginning with the corporate governance process. The reform must begin with the development and implementation of a holistic Enterprise Risk Management program.

"Ethics is the difference between knowing what you have the right to do and what is right to do".
Potter Stewart

What is Enterprise Risk Management?

COSO (Committee of Sponsoring Organizations) defines Enterprise Risk Management (ERM) as:
A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO is a joint initiative of five private sector organizations dedicated to providing thought leadership through the development of frameworks and guidance on risk management.

Risk Management Framework
The COSO-ERM framework is an international risk management framework that is promulgated by COSO. The framework is designed to assist the users thereof to identify, prioritize and mitigate risks and opportunities that exists within their organizations or institutions. The framework elements are categorized into four primary domains: (1) Strategic; (2) Compliance / Regulatory; (3) Operations; and (4) Finance / Reporting. COSO-ERM framework is the most prevalent framework that is used today to assist business organizations, government institutions, and not-for-profit entities with managing risks and opportunities.
The COSO-ERM framework is an internationally-recognized risk management framework that is designed to identify, prioritize and mitigate risks and opportunities that exists to a business organization. The legacy COSO-ERM framework elements are aligned into four primary domains: (1) Strategic; (2) Compliance / Regulatory; (3) Operations; and (4) Finance / Reporting. In addition, there is the new COSO-ERM framework, which is called Enterprise Risk Management, Integrating with Strategy and Performance (released in 2017). The two COSO frameworks are designed to be complimentary to one another; and not a situation whereby the new framework is replacing the legacy one. In fact, the elements of the COSO-ERM 2017 framework are:A. Governance & CultureB. Strategy & Objective SettingC. PerformanceD. Review & RevisionE. Information, Communication & Reporting
Finally, there is the ISO 31000 framework, which is another framework that may be used. ISO 31000 framework uses a four-phase approach to identify and manage risks:
1. Risk & Opportunities Identification – identify the universe of risk and opportunities
2. Risk Prioritization – rank the risk and opportunities according to likelihood and impact
3. Risk Mitigation – identify current controls and design future controls to mitigate control gaps
4. Risk Monitoring & Reporting – monitor and report on key risk indicators and other metrics.

The Next Chapter

So, what does the next chapter for Wells Fargo hold? The next chapter appears to have many changes on the horizon. In fact, there has been quite a bit of change already underway. The Federal Reserve Board has imposed certain mandatory changes to Wells Fargo’s corporate governance system. For example, the company must replace four board members by the end of this year. In addition, the company’s total assets have been capped at $2 Trillion USD until the mandatory reforms have been completed. While there have already begun instituting some changes, many more structural, operational, financial, and compliance-related reforms are needed. These reforms will encompass the following areas: (1) People & Organizational Structure; (2) Business Processes; (3) Information Technology; and (4) Data.

People & Organizational Structure
As the company continues to replace key senior management positions at the CXO level, in particular within the CRO function, emphasis needs to be placed on completing an internal reorganization of the risk management function. The purpose of the reorganization would be to ensure that the CRO function is organized within the CXO suite and operational and divisional risk managers are appropriately aligned to the CRO. Finally, the new executive and tactical management personnel that are hired should fit into the new organizational culture that the company is in the process of implementing.

Business Process
Business process reengineering and business process improvement initiatives will need to be completed for the Wells Fargo’s customer-facing processes and their risk management processes. Business process reengineering (BPR) is a business management strategy that consists of the evaluation, analysis and redesign of workflows, processes and the related internal controls. The outcome of the BPR is to ensure that the business processes are more operationally efficient, cost effective, and well controlled. One of the key components of risk management that needs to be completed is an operational risk assessment. The redesign of business processes must be aligned with the design and configuration of any new systems/applications that may be implemented. In addition, operational processes that are at the root cause of the financial scandals (e.g. loan servicing and customer service processes will need overhauling).

Information Technology
Wells Fargo will need to take an inventory of their current risk management information systems and business applications. These systems and applications will need to be evaluated to determine whether they have the capacity to support Wells Fargo ERM program. If not, then management will need to search for an appropriate ERM system that can manage all company-wide governance, risk and compliance activities. Accordingly, Wells Fargo needs to perform a feasibility analysis to consider developing and implementing an enterprise GRC Solution (ORACLE GRC or SAP GRC), depending on their ERP solution. The primary benefits that are derived from such an approach is the consolidation of all GRC activities on a single platform.

Data
Finally, risk management data must be centralized in a common IT platform in order to facilitate an enterprise view of company risks. In addition, the centralization of data must ensure the complete, accurate, and timely reporting of risks and the accompanying risk responses of Wells Fargo’s management (in accordance with risk appetite).

Cloud Computing Risks

Cloud Computing continues to evolve and expand as more organizations migrate their enterprise IT operations to this new operations model. The adoption of this business model still has many risks and challenges associated with it. Among the key risks and challenges of Cloud Computing are: